Russian criminals have stolen 1.2 billion username and password combinations, including more than 500 million email addresses.
That works out to nearly a third of the world's email addresses.
This accumulation of Internet passwords over the last few years could be the largest amount of stolen digital credentials in history.
US firm Hold Security, based in Milwaukee, discovered the records, which included confidential material gathered from 420,000 websites, including household names and smaller websites.
Hold Security has uncovered many significant hacks in the past, including last year's theft of tens of millions of records from Adobe Systems.
The firm would not identify any of the targeted websites, citing non-disclosure agreements, and was reluctant to name companies that remained vulnerable, to prevent further exploitation.
“Hackers did not just target US companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. Most of these sites are still vulnerable,” said Alex Holden, the founder and chief information security officer of Hold Security.
Holden said the criminals started making money from sending out spam about fake products like weight-loss pills.
“It’s really not that impactful to the individuals, and that’s why they were under the radar for so long,” Holden said. “They’ve ignored financial information almost completely.”
The gang’s successful accumulation of so many passwords shows how common weak security procedures are on websites of all sizes.
The criminals started their stash of user data by simply buying it on the black market. This year their collection has grown significantly through the use of an automated program that searches the Internet for vulnerabilities in websites.
So far they haven’t sold many of the Internet credentials online. But if they were to sell records back onto the black market, they would make a huge profit.
Although credit cards can be cancelled, identities can be stolen from the personal information they hold, such as email addresses and passwords. People tend to have the same password for different sites, including online banking. Criminals can test the stolen credentials on different websites and gather more valuable information. – Compiled by Paige Pollard
Top photo from Erika’s Flickr photostream.